CVE-2024-14002
📋 TL;DR
Nagios XI versions before 2024R1.1.4 contain an authenticated local file inclusion vulnerability in the NagVis integration. Authenticated users can manipulate path parameters to read arbitrary files from the server, potentially exposing sensitive system information. This affects all Nagios XI deployments using vulnerable versions.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios Xi by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker reads sensitive files readable by the web server user, such as /etc/passwd, Nagios XI configuration files, or database credentials (files like /etc/shadow are normally not readable by that account unless permissions are misconfigured), leading to privilege escalation or complete system compromise.
Likely Case
Authenticated user with malicious intent reads configuration files containing credentials or sensitive system information, enabling lateral movement or data exfiltration.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure from files accessible to the web server user.
🎯 Exploit Status
Requires authenticated access and knowledge of NagVis parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024R1.1.4 or later
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Backup current Nagios XI configuration.
2. Download latest version from Nagios customer portal.
3. Run upgrade script: ./upgrade -n
4. Verify upgrade completion.
🔧 Temporary Workarounds
Disable NagVis Integration
Temporarily disable NagVis integration if not required for operations.
Navigate to Admin > System Extensions > Manage Components, disable NagVis
Restrict User Access
Limit authenticated user access to only necessary personnel and implement least privilege.
Review and tighten user permissions in Nagios XI admin interface
🧯 If You Can't Patch
- Implement strict access controls and monitor authenticated user activity
- Deploy web application firewall rules to block LFI patterns in NagVis requests
🔍 How to Verify
Check if Vulnerable:
Check Nagios XI version in Admin > About. If the version is earlier than 2024R1.1.4, the system is vulnerable.
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
After upgrade, verify version shows 2024R1.1.4 or later in Admin > About.
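The version comparison above is easy to get wrong by hand because Nagios XI uses both the newer 2024R1.x.y scheme and the legacy 5.x.y scheme. The following is an added example (not Nagios' own tooling) that parses whatever version string is found in the xiversion file and compares it against the fixed release. It assumes only that the file contains the full version string somewhere; the exact line layout of /usr/local/nagiosxi/var/xiversion is not documented on this page, so the code scans for any version-shaped token and uses the most specific one.

```python
import re

# Fixed release named in the advisory.
FIXED_VERSION = "2024R1.1.4"

# Matches "2024R1.1.4"-style versions (first alternative) and legacy
# dotted versions such as "5.11.3" (second alternative).
_VER_RE = re.compile(
    r"\b(\d{4})R(\d+)((?:\.\d+)*)\b"   # year-based: 2024R1.1.4
    r"|\b(\d+(?:\.\d+){1,3})\b"        # legacy: 5.11.3
)


def _to_tuple(m):
    """Convert one regex match into a comparable integer tuple."""
    if m.group(1):
        parts = [m.group(1), m.group(2)] + [p for p in m.group(3).split(".") if p]
    else:
        parts = m.group(4).split(".")
    return tuple(int(p) for p in parts)


def parse_version(text):
    """Return the most specific Nagios XI version found in `text` as a tuple.

    '2024R1.1.4' -> (2024, 1, 1, 4); '5.11.3' -> (5, 11, 3).
    Taking the max means a file that lists both 'major=2024R1' and
    'full=2024R1.1.4' resolves to the full version, not the short one.
    """
    candidates = [_to_tuple(m) for m in _VER_RE.finditer(text)]
    if not candidates:
        raise ValueError(f"no Nagios XI version found in {text!r}")
    return max(candidates)


def is_vulnerable(version_text):
    """True when the version in `version_text` is earlier than 2024R1.1.4."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def check_file(path="/usr/local/nagiosxi/var/xiversion"):
    """Read the xiversion file (path from the advisory) and report status."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return is_vulnerable(f.read())


if __name__ == "__main__":
    import sys
    try:
        print("VULNERABLE" if check_file() else "patched")
    except (OSError, ValueError) as exc:
        print(f"could not determine version: {exc}", file=sys.stderr)
        sys.exit(2)
```

Run it on the Nagios XI host; it exits 2 if the file is missing or contains no recognisable version, so a "patched" result is only printed when a version was actually parsed.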
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in NagVis component logs
- Multiple failed file inclusion attempts
Network Indicators:
- HTTP requests to NagVis endpoints with suspicious path parameters
SIEM Query:
source="nagios_logs" AND (uri="*nagvis*" AND (path="*../*" OR path="*/etc/*"))
Note: this query only matches literal "../" and "/etc/". URL-encoded forms such as %2e%2e%2f, ..%2f, or double-encoded %252e%252e will not match unless the URI is decoded before the comparison or those patterns are added.
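The SIEM query above is a starting point, but a single wildcard on "../" misses the encoded variants attackers actually send. As an added example (not from the page or from Nagios), the following scans web server access-log lines for traversal or absolute-path attempts against NagVis URIs, decoding repeatedly to catch double encoding, and counts attempts per account so repeated probing stands out. The log lines are constructed samples in Apache combined format, and the `path=` query parameter in them is a placeholder: the page does not name the vulnerable NagVis parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The "path="
# parameter is a placeholder name used only for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Jun/2024:10:01:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5120
10.0.0.5 - admin [10/Jun/2024:10:01:09 +0000] "GET /nagvis/frontend/nagvis-js/index.php?mod=Overview HTTP/1.1" 200 8811
10.0.0.7 - user1 [10/Jun/2024:10:02:11 +0000] "GET /nagvis/frontend/nagvis-js/index.php?path=../../../../etc/passwd HTTP/1.1" 200 1903
10.0.0.7 - user1 [10/Jun/2024:10:02:15 +0000] "GET /nagvis/frontend/nagvis-js/index.php?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1903
10.0.0.7 - user1 [10/Jun/2024:10:02:20 +0000] "GET /nagvis/frontend/nagvis-js/index.php?path=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 211
10.0.0.9 - user2 [10/Jun/2024:10:03:00 +0000] "GET /nagiosxi/includes/components/..%2f..%2fetc/passwd HTTP/1.1" 404 0
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(uri, rounds=3):
    """Percent-decode until the string stops changing (bounded), then unify slashes.

    Decoding more than once is what catches %252e%252e%252f (double encoding).
    """
    cur, prev = uri, None
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_lfi_attempt(uri):
    """Flag traversal sequences or absolute references to sensitive paths."""
    n = normalize(uri).lower()
    return "../" in n or "/etc/" in n or "/proc/self" in n


def scan(log_text, scope="nagvis"):
    """Return (ip, user, uri, status) for each suspicious request.

    `scope` limits matching to URIs containing that substring (the advisory's
    affected component); pass None to check every request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uri = m["uri"]
        if scope and scope not in uri.lower():
            continue
        if is_lfi_attempt(uri):
            hits.append((m["ip"], m["user"], uri, int(m["status"])))
    return hits


def attempts_per_account(hits):
    """Count suspicious requests per (client IP, authenticated user)."""
    return Counter((ip, user) for ip, user, _, _ in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, user, uri, status in found:
        print(f"{ip} {user} {status} {uri}")
    for (ip, user), n in attempts_per_account(found).items():
        print(f"{user}@{ip}: {n} suspicious request(s)")
```

A 403 or 404 on a flagged request is still worth alerting on: it shows someone is probing the parameter, and the same account may succeed on the next variant.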